Electronic health information and privacy

October 27, 2010

Peer-to-peer (P2P) network aggregator Limewire has decided to pull the plug on its filesharing client to comply with a court injunction.

Lime Company, the firm that develops and maintains the Limewire client software, said that as of today it is "required to stop distribution and support of LimeWire."

Its software allowed users to search for content on Bittorrent and Gnutella, and not surprisingly, the big media mafia had been waging a litigation war against its parent company for some time.

Last year the firm was hammered by a US District Court judge, who said that Limewire users "commit a substantial amount of copyright infringement" and that the software "enables infringement for the success of its business".

After such a ruling Limewire's capitulation was inevitable.

The problem for the big media cartels is that although they might have been able to shut down Limewire, the networks it searched for content still exist.

While Bittorrent receives all the media attention, Gnutella represents a bigger technological problem, as it is a truely decentralised network working on a 'gossipy' protocol, meaning that it can in theory operate perfectly well without any central servers.

Although Limewire was a popular starting point for many to obtain content from those underlying networks, the demise of the company that made the software is unlikely to lead to a long term decline in the filesharing of media content over P2P networks.

It's highly likely that something similar will appear soon, after all having over a million users is not to be taken lightly.

Online advertising offers marketers the chance to aim ads at very specific groups of people --- say, golf players in Illinois who make more than $150,000 a year and vacation in Hawaii.

Both papers focus on Facebook ads and show that in certain circumstances, advertisers --- or snoops posing as advertisers --- may be able to learn sensitive profile information, like a person's sexual orientation or religion, even if the person is sharing that information only with a small circle of friends.

Not surprisingly, the different accounts were shown different ads, because advertisers can specify what types of people they want to reach on the site.

In particular, the accounts that appeared to belong to gay people received ads for things like gay bars.

"The danger with such ads, unlike the gay bar ad where the target demographic is blatantly obvious, is that the user reading the ad text would have no idea that by clicking it he would reveal to the advertiser both his sexual preference and a unique identifier," the researchers wrote.

What's more, the identifier --- typically a cookie or a computer's Internet address --- does not necessarily disclose the identity of the person who clicked.

But privacy experts said an advertiser could potentially obtain the name in other ways and link it to the user's sexual orientation, perhaps by asking the person to sign up for a newsletter or fill out a form.

In a separate study, Aleksandra Korolova, a researcher at Stanford, said she was able to find the age and sexual orientation of specific Facebook users by tailoring certain ads to their profiles.

She said an attacker could use the technique to find other profile information that was not public, including relationship status and political and religious affiliation.

October 26, 2010

Somewhere in the New York City area there is a family-practice doctor who, government records suggest, pocketed more than $2 million in 2008 from Medicare, the federal insurance program for the elderly.

That made her one of the best-paid family-medicine physicians in the Medicare system.

But more noteworthy than the sum is her pattern of billing, which strongly suggests abuse or even outright fraud, according to experts who have examined her records.

The Wall Street Journal is prohibited from naming this physician despite the fact that the paper detected her by mining a database paid for by taxpayers.

Known as the Medicare claims database, it is a computerized record of the bills Medicare pays for medical treatment, and it is widely considered the single best source of information on the U.S. health-care system.

Federal investigators use the database to find fraud; academic researchers mine it to compare the cost and utilization of various services; and consultants make a business out of analyzing the data for a wide variety of health-care companies.

But the Medicare data come with a severe limitation: While the services and earnings of hospitals and other institutional providers can be publicly identified, such information is kept strictly confidential for doctors and other individual providers. The reason is that the American Medical Association, the doctors' trade group, successfully sued the government more than three decades ago to keep secret how much money individual physicians receive from Medicare.

The AMA has continued to defend this ruling, including in two cases in which federal appeals courts issued decisions last year.

"We support the release of information that will help physicians improve the care they provide, but the release of personal physician payment data does not meet that standard, and physicians, like all Americans, have the right to privacy and due process."

October 19, 2010

In 2009, the Canadian Anti-Fraud Centre fielded identity fraud reports from 11,095 Canadian victims.

Personal information scanned into certain digital photocopier hard drives can be easily tapped, according to a CBC News investigation probing the second-life of older machines that are re-sold or leased.

CBC purchased a used Canon Image Runner Colour 3200 from a UPS franchise on Kijiji, an online classifieds website.

Files included copies of income tax returns, health information gathered in a lab report, a driver's licence, a citizenship card and business documents.

The only way to definitively protect against a security breach would be to destroy the hard drives, he said.

"There's still magnetic residue on the hard drive that is recoverable, although it would take a lot of time and a lot of money to be able to recover that information."

Mail Boxes Etc. Canada, the franchiser of UPS stores in Canada, says its franchises were instructed in April to scrutinize photocopier security.

The office of the privacy commissioner acknowledges the privacy issues related to photocopier disposal but notes the issue has not been dealt with in an audit.

Brian Bowman, a business lawyer specializing in privacy and technology matters in Winnipeg, says many companies have yet to understand the security risk that photocopiers pose.

Affinity Health Plan, a New York managed care service, is notifying more than 400,000 current and former customers employees that their personal data might have been leaked through the loss of an unerased digital copier hard drive.

According to a press release (PDF) quietly issued earlier this month, some personal records were found on the hard drive of a copier found in a New Jersey warehouse.

The copier had previously been leased by Affinity and was then returned to the leasing company, the release states.

The disclosure follows the airing of a CBS News report that called attention to the practice of recycling or resale of copiers whose hard drives have not been properly erased.

The report showed the discovery of numerous medical records found on warehoused digital copiers.

An executive at a company that makes hard-drive-erasure products used a free forensics tool to glean the data from one of the copiers in the CBS News report.

The CBS investigation also turned up sensitive data from other organizations, including personal information from a restaurant in the Phoenix area and criminal records information from a Buffalo-area police department.

Affinity Health Plan says it has not had a chance to review the data found on the copier, but in a news report, a spokesman said the figure of 409,262 notifications includes former and current employees, providers, applicants for jobs, members, and applicants for coverage.

Failure to properly dispose of medical records is a violation of New York privacy regulations and could carry fines or other sanctions.

Now, experts are warning that photocopiers could be a culprit as well.

That's because most digital copiers manufactured in the past five years have disk drives, " the same kind of data-storage mechanism found in computers," to reproduce documents.

As a result, the seemingly innocuous machines that are commonly used to spit out copies of tax returns for millions of Americans can retain the data being scanned.

Some copier makers are now adding security features, but many of the digital machines already found in public venues or business offices are likely still open targets, said Ed McLaughlin, president of Sharp Document Solutions Company of America.

The telephone survey of 1,005 adults, conducted in January, also showed that 55 percent of Americans plan to make photocopies and printouts of their tax returns and related documents.

Added Paul DeMatteis, a security consultant and teacher at the John Jay College of Criminal Justice at the City University of New York: "We know there are bad people out there.

He couldn't specify names but said a few of his company clients did learn about the vulnerability after their copiers were resold and the new owners, " in good faith," notified them of the data residing on the disks.

Smaller businesses and everyday consumers are less likely to know about the risk, but should, he said.

Experts contend that the shared information," even that of Facebook app users who (thought) they had their profiles completely locked down, is more of a flaw of Internet life than insidious plot."

Facebook says it is taking steps to "dramatically limit" the exposure of users' personal information, after a WSJ investigation showed that personal IDs were being transmitted to third parties via Facebook apps.

On Sunday, a Facebook spokesman said it is taking steps to "dramatically limit" the exposure of users' personal information.

Many top applications on Facebook have been transmitting identifying information to Internet tracking and ad companies.

The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities.

In this case, however, the Journal found that one data-gathering firm, RapLeaf Inc., had linked Facebook user ID information obtained from apps to its own database of Internet users, which it sells.

RapLeaf also transmitted the Facebook IDs it obtained to a dozen other firms, the Journal found.

Marketers are spying on Internet users - observing and remembering people's clicks, and building and selling detailed dossiers of their activities and interests.

User privacy is the priority for Internet social networking site Facebook, which has come under fire from users for its privacy settings, the company's director of market development said on Sunday in Dubai.

"Privacy, I would say, is the number one most important thing for our company, and we're always listening to feedback," Randi Zuckerberg, the sister of Facebook co-founder Mark Zuckerberg, said on the first day of the GITEX information and communication technology exhibition.

"We've recently rolled out a lot of new updates and controls to privacy.

"We're always trying to listen to feedback and giving people more and more controls."

While Facebook has become the world's most popular social network with more than 500 million users, it has also been criticized for complex privacy controls and for requiring users to opt out of features that allowed access to their information.

Earlier this year, 14 privacy and consumer protection groups sent a letter to the US Congress saying "Facebook continues to manipulate the privacy settings of users and its own privacy policy so that it can take personal information provided by users for a limited purpose and make it widely available for commercial purposes."

Asked about whether the site has faced pressure to share information with governments, Zuckerberg said: "The only way that we would share any information is if there was an inquiry into criminal activity on Facebook" such as if "someone ...

The Middle East is home to about 15 percent of Facebook users, Zuckerberg said, with about two million in the United Arab Emirates, of which Dubai is a regional IT hub.

German ministers criticised social networking site Facebook on Sunday for failing to respect privacy, following a report of a serious flaw that allowed non-subscribers access to private data.

German newspaper Frankfurter Allgemeine reported that a glitch potentially allowed anyone access to the contact lists of subscribers.

New subscribers to Facebook are required to enter their email address.

However, by entering the email address of an existing user, it was possible to view their full list of contacts, until they had responded to a security request.

This would potentially allow access to hundreds of names, contact details and other personal information, the newspaper reported.

Germany's consumer affairs minister Ilse Aigner criticised the company for a "series of dubious practices".

The glitch shows "Facebook's lack of respect for the privacy of Internet users", she told the newspaper.

Justice minister Sabine Leutheusser-Schnarrenberger also criticised Facebook, telling the newspaper it "lacked consideration in the management of personal data".

Facebook has become the world's most popular social network with around 500 million users, but it has been dogged by complaints about poor privacy protection.

Randi Zuckerberg, the sister of co-founder Mark Zuckerberg, told reporters at a forum in Dubai on Sunday that privacy was the company's top concern and it would continue to give people more controls.

Internet privacy is a particularly contentious issue in Germany, where the recent launch of Google's Street View service was delayed to allow residents the opportunity to block out their homes from public view.